Suspicious Polyfill Login Prompts on Toshiba and Muji Websites
In a recent security incident, tech giant Toshiba and mega-retailer Muji have alerted their website visitors about suspicious sign-in screens that could potentially collect login credentials. Both Japanese companies have urged users who entered their account information on these authentication screens to change their passwords immediately to safeguard their accounts.
The unauthorized login pop-ups were generated by an external service hosted at polyfill[.]io, which injected malicious code into scripts delivered through its content delivery network (CDN) back in 2024.
Toshiba issued a statement saying, “We have identified that certain parts of our website may display a sign-in screen similar to the one shown below. We are actively working to remove this screen, but if you encounter it, please select ‘Cancel’ without entering any personal information.”
[Image: the suspicious login screen. Source: Toshiba]
Similarly, Japanese retail giant Muji also issued a warning to its website visitors regarding the presence of suspicious authentication screens generated by the external service polyfill[.]io.
Muji stated, “While we have not confirmed any unauthorized access or data breaches on our site, as a precautionary measure, we advise our customers to remain vigilant and consider taking appropriate actions.”
Both Toshiba and Muji have successfully resolved the issue and temporarily suspended their services to address the security concern. Other Japanese companies such as Zojirushi, FiNC Technologies, Ishiyaku Publishers, and Hobonichi were also affected by the same incident.
Security researcher Pasquale Pillitteri reported that Samsung Smart TVs and various websites encountered a similar login prompt on June 1st.
Reports suggest that the root cause of this issue traces back to the polyfill[.]io incident in 2024 when the domain was acquired by a Chinese entity that injected malicious scripts affecting over 100,000 websites utilizing the Polyfill service.
Polyfill serves as a JavaScript CDN catering to legacy browsers, enabling modern websites to function seamlessly by offering a compatibility layer for unsupported technologies.
Following the incident, the original creator of Polyfill, Andrew Betts, recommended that website owners remove the service from their platforms. He eventually relaunched the JavaScript CDN service under a new domain, polyfill.com, and later settled at polyfill.top.
Although the service at polyfill[.]io was deactivated, some websites using it failed to remove all remnants of Polyfill code over the past two years, leaving vulnerabilities in their systems.
Pillitteri highlighted that in late May 2026 the polyfill[.]io domain became active again and began triggering HTTP 401 authentication requests. Browsers of users visiting websites like Toshiba and Muji treated these responses as authentication requirements and displayed unexpected login prompts.
While there is no evidence of websites being compromised or login credentials being stolen through these rogue login screens, users are strongly advised to exercise caution when encountering unexpected authentication requests.
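Site owners can check their own pages for the leftover references described above. The following is an added example, not code from Toshiba, Muji or the Polyfill project: it parses HTML and reports every element that still points at the domain or one of its subdomains. The tag list and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

WATCHED_DOMAIN = "polyfill.io"  # the domain named in the article

# Tag -> attribute that makes a browser contact a remote host (assumed list).
URL_ATTRS = {"script": "src", "link": "href", "iframe": "src", "img": "src"}

def is_watched_host(url: str) -> bool:
    """True if url points at the watched domain or any subdomain of it."""
    try:
        # urlsplit also handles protocol-relative URLs ("//host/path").
        host = (urlsplit(url.strip()).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed URL, e.g. an unterminated IPv6 literal
        return False
    # Match on the parsed host only, so look-alike hosts and paths are ignored.
    return host == WATCHED_DOMAIN or host.endswith("." + WATCHED_DOMAIN)

class PolyfillReferenceFinder(HTMLParser):
    """Collects (line, tag, url) for each element referencing the domain."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url and is_watched_host(url):
            self.findings.append((self.getpos()[0], tag, url))

def find_references(html: str):
    finder = PolyfillReferenceFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not taken from any affected site).
SAMPLE_HTML = """<html><head>
<link rel="dns-prefetch" href="//cdn.polyfill.io">
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="//POLYFILL.IO/v2/polyfill.js"></script>
<script src="https://static.example.com/polyfill.io/bundle.js"></script>
<script src="https://notpolyfill.io/x.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_references(SAMPLE_HTML):
        print(f"line {line}: <{tag}> references {url}")
```

A static scan like this only covers markup present in the HTML source; references added at runtime by other scripts need a check of the browser's network requests as well.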